Web API token authentication with a custom user database

I stumbled upon a my solution while trying to implement json token authentication within web api. It is important to note that my solution handles authentication by sending a json token through the Authentication header of the Http request (not via cookies) and not using Microsoft.Identity framework.

Anyway, I basically implemented in a cookbook fashion the solution helpfully described here by Taiseer Joudeh: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/

The key thing to notice is the following bit of code:

//Dummy check here, you need to do your DB checks against memebrship system http://bit.ly/SPAAuthCode
        if (context.UserName != context.Password)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect");
            //return;
            return Task.FromResult<object>(null);
        }

Naturally you would replace this bit of code above with your own method for checking your (presumably pre-existing) user database(s). Once I implemented this I realized that you don't need to use new code first identity framework that Visual Studio installs for you.

To make this work I did the following:

1) Created an an empty project and selected Change Authentication/Individual User Accounts. This installs most of the required references and files you need out of the box to use token authentication by way of cookies as well as the code-first identity framework files.

2) Edited these files following Taiseer Joudeh's lead. This requires some new objects such as CustomOAuthProvider.cs among others. And you need to implement your own user/password check by customizing this code block:

if (context.UserName != context.Password) { context.SetError("invalid_grant", "The user name or password is incorrect"); //return; return Task.FromResult<object>(null); }

Link to Taiseer Joudeh's instructions: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/

3) Pruned my project of extraneous files (AccountBindingModels.cs, AccountViewModels.cs, IdentityModels.cs, ApplicationOAuthProvider.cs, identityConfig.cs, AccountBindingModels.cs, AccountViewModels.cs). Basically, No more microsoft identity references.

I am sure the microsoft.identity thing is excellent, but I was annoyed with the code-first implementation of databases when I was already using some legacy databases of a different structure etc. Hope this helps. I am quite satisfied with the result (after a few days of messing around to get it to work).

Someone else, having the competence, can explain the options. But if authentication as service is an option, then check out Auth0 @ https://auth0.com

I have tested the service (as Azure plugin) using both HTML/JS- and native Windows Phone applications, against simple Sql Server table and AD. Works liek charm, near zero headache.

This is a good answer to a similar question. It basically says:

• Make a custom user class which implements IUser
• Define a custom user store which implements public class UserStoreService : IUserStore<CustomUser>, IUserPasswordStore<CustomUser>
• wire everything up

Since the answer is pretty extensive I just provided the basic steps... details are here: How to customize authentication to my own set of tables in asp.net web api 2?

This is also a very valuable content which also applies to web api:

Customizing ASP.NET Authentication with Identity by JumpStart

https://channel9.msdn.com/Series/Customizing-ASPNET-Authentication-with-Identity

HTH